<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note: To understand how this template is used, see the documentation
  at http://forrest.apache.org/howto/howto-asf-mirror.html
-->
<html>
  <head>
    <title>Obtain the Apache Santuario distribution</title>
  </head>
  <body>
    <h1><a name="how" />How to download</h1>
    <p>
      Use the links below to download a distribution of Apache Santuario from one
      of our mirrors. It is good practice to <a href="[location]#verify">verify
      the integrity</a> of the distribution files.
      Apache Santuario releases are available under the
      <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>
      - see the README.txt and LICENSE.txt and NOTICE.txt files contained in each release artifact.
    </p>
    <h1><a name="closest" />Current official release (closest mirror site selected automatically)</h1>
    <p>
      You are currently using
      <b>[preferred]</b>
      . If you encounter a problem with this mirror, then please select another.
      If all mirrors are failing, there are backup mirrors at the end of the
      list. See <a href="http://www.apache.org/mirrors/">status</a> of mirrors.
    </p>
    <form action="[location]" method="get" id="SelectMirror">
Other mirrors: <select name="Preferred">
<!--[if-any http] [for http]-->
        <option value="[http]">[http]</option>
<!--[end] [end]-->
<!--[if-any ftp] [for ftp]-->
        <option value="[ftp]">[ftp]</option>
<!--[end] [end]-->
<!--[if-any backup] [for backup]-->
        <option value="[backup]">[backup] (backup)</option>
<!--[end] [end]-->
      </select>
      <input type="submit" value="Change" />
    </form>
    <p>
    The current Java release is XML Security 1.4.4:
<a href="[preferred]/santuario/java-library/xml-security-bin-1_4_4.zip">xml-security-bin-1_4_4.zip</a>
[<a href="http://www.apache.org/dist/santuario/java-library/xml-security-bin-1_4_4.zip.asc">PGP</a>]
[<a href="http://www.apache.org/dist/santuario/java-library/xml-security-bin-1_4_4.zip.md5">MD5</a>]</li>
    </p>
    <p>
    The current C++ release is XML Security 1.6.0:
<a href="[preferred]/santuario/c-library/xml-security-c-1.6.0.tar.gz ">xml-security-c-1.6.0.tar.gz</a>
[<a href="http://www.apache.org/dist/santuario/c-library/xml-security-c-1.6.0.tar.gz.asc">PGP</a>]
[<a href="http://www.apache.org/dist/santuario/c-library/xml-security-c-1.6.0.tar.gz.md5">MD5</a>]</li>
    </p>
    <h1><a name="archive" />Archive of old releases</h1>
    <p>
      Older releases are available in the
      <a
href="http://archive.apache.org/dist/santuario/">archive</a>.
    </p>
    <h1><a name="verify" />Verify releases</h1>
    <p>
      It is essential that you verify the integrity of the downloaded files
      using the MD5 and PGP signatures. MD5 verification ensures the file was
      not corrupted or tampered with. PGP verification ensures that the file
      came from a certain person.
    </p>
    <h2><a name="pgp" />PGP Signature</h2>
    <p>
      The PGP signatures can be verified using
      <a href="http://www.pgpi.org/">PGP</a> or
      <a href="http://www.gnupg.org/">GPG</a>. First download the Apache Santuario
      <a href="http://www.apache.org/dist/santuario/KEYS">KEYS</a> as well as the
      <code>*.asc</code> signature file for the particular distribution. It is
      important that you get these files from the ultimate trusted source - the
      main ASF distribution site, rather than from a mirror. Then verify the
      signatures using ...
    </p>
    <pre>
% pgpk -a KEYS
% pgpv xml-security-bin-1_4_4.zip.asc
  <em>or</em>
% pgp -ka KEYS
% pgp xml-security-bin-1_4_4.zip.asc
  <em>or</em>
% gpg --import KEYS
% gpg --verify xml-security-bin-1_4_4.zip.asc
</pre>

    <h2><a name="md5" />MD5 Checksum</h2>
    <p>
      To verify the MD5 checksum on the files, you need to use a program called
      <code>md5</code> or <code>md5sum</code>, which is included in many unix
      distributions. It is also available as part of
      <a href="http://www.gnu.org/software/textutils/textutils.html">GNU
      Textutils</a>. Windows users can get binary md5 programs from
      <a
href="http://www.fourmilab.ch/md5/">here</a>,
      <a
href="http://www.pc-tools.net/win32/freeware/console/">here</a>, or
      <a href="http://www.slavasoft.com/fsum/">here</a> or an openssl client
      from
      <a href="http://www.slproweb.com/products/Win32OpenSSL.html">here</a>.
    </p>
    <pre>
% md5sum xml-security-X.Y.tar.gz
... output should match the string in xml-security-X.Y.tar.gz.md5
</pre>
    <p>
      We strongly recommend you verify your downloads with both PGP and MD5.
    </p>
  </body>
</html>
